Merge pull request Pennyw0rth#361 from Pennyw0rth/dcom_fix

Fix mmcexec method thanks to @IppSec AND a lot of other small things

Author: mpgn

nxc/connection.py

@@ -85,6 +85,8 @@ def get_host_addr_info(target, force_ipv6, dns_server, dns_tcp, dns_timeout):
 def requires_admin(func):
     def _decorator(self, *args, **kwargs):
         if self.admin_privs is False:
+            if hasattr(self.args, "exec_method") and self.args.exec_method == "mmcexec":
+                return func(self, *args, **kwargs)
             return None
         return func(self, *args, **kwargs)
 
@@ -146,6 +148,7 @@ def __init__(self, args, db, target):
         self.kdcHost = self.args.kdcHost
         self.port = self.args.port
         self.local_ip = None
+        self.dns_server = self.args.dns_server
 
         # DNS resolution
         dns_result = self.resolver(target)
@@ -541,7 +544,7 @@ def login(self):
 
         if hasattr(self.args, "laps") and self.args.laps:
             self.logger.debug("Trying to authenticate using LAPS")
-            username[0], secret[0], domain[0], ntlm_hash = laps_search(self, username, secret, cred_type, domain)
+            username[0], secret[0], domain[0] = laps_search(self, username, secret, cred_type, domain, self.dns_server)
             cred_type = ["plaintext"]
             if not (username[0] or secret[0] or domain[0]):
                 return False

nxc/modules/add-computer.py

@@ -102,8 +102,9 @@ def do_samr_add(self, context):
             None
         """
         string_binding = epm.hept_map(self.__host, samr.MSRPC_UUID_SAMR, protocol="ncacn_np")
+        string_binding = string_binding.replace(self.__host, self.__kdcHost) if self.__kdcHost is not None else string_binding
 
-        rpc_transport = transport.DCERPCTransportFactory(string_binding.replace(self.__host, self.__kdcHost))
+        rpc_transport = transport.DCERPCTransportFactory(string_binding)
         rpc_transport.setRemoteHost(self.__host)
 
         if hasattr(rpc_transport, "set_credentials"):

nxc/modules/laps.py

@@ -45,12 +45,12 @@ def on_login(self, context, connection):
                 values = {str(attr["type"]).lower(): attr["vals"][0] for attr in computer["attributes"]}
                 if "mslaps-encryptedpassword" in values:
                     msMCSAdmPwd = values["mslaps-encryptedpassword"]
-                    d = LAPSv2Extract(bytes(msMCSAdmPwd), connection.username if connection.username else "", connection.password if connection.password else "", connection.domain, connection.nthash if connection.nthash else "", connection.kerberos, connection.kdcHost, 339)
+                    d = LAPSv2Extract(bytes(msMCSAdmPwd), connection.username if connection.username else "", connection.password if connection.password else "", connection.domain, connection.nthash if connection.nthash else "", connection.kerberos, connection.kdcHost, 339, connection.dns_server)
                     try:
                         data = d.run()
                     except Exception as e:
-                        self.logger.fail(str(e))
-                        return
+                        context.log.fail(str(e))
+                        continue
                     r = json.loads(data)
                     laps_computers.append((str(values["samaccountname"]), r["n"], str(r["p"])))
                 elif "mslaps-password" in values:

nxc/protocols/ldap.py

@@ -172,12 +172,12 @@ def get_ldap_info(self, host):
                     self.logger.debug(f"ldap_connection: {ldap_connection}")
             except SysCallError as e:
                 if proto == "ldaps":
-                    self.logger.debug(f"LDAPs connection to {ldap_url} failed - {e}")
+                    self.logger.fail(f"LDAPs connection to {ldap_url} failed - {e}")
                     # https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-ldap-over-ssl-3rd-certification-authority
-                    self.logger.debug("Even if the port is open, LDAPS may not be configured")
+                    self.logger.fail("Even if the port is open, LDAPS may not be configured")
                 else:
-                    self.logger.debug(f"LDAP connection to {ldap_url} failed: {e}")
-                return [None, None, None]
+                    self.logger.fail(f"LDAP connection to {ldap_url} failed: {e}")
+                exit(1)
 
             resp = ldap_connection.search(
                 scope=ldapasn1_impacket.Scope("baseObject"),

nxc/protocols/ldap/laps.py

@@ -1,5 +1,3 @@
-import binascii
-import hashlib
 from json import loads
 from pyasn1.codec.der import decoder
 from pyasn1_modules import rfc5652
@@ -37,12 +35,13 @@ def __init__(self, host, port, hostname):
     def proto_logger(self, host, port, hostname):
         self.logger = NXCAdapter(extra={"protocol": "LDAP", "host": host, "port": port, "hostname": hostname})
 
-    def kerberos_login(self, domain, username, password="", ntlm_hash="", aesKey="", kdcHost="", useCache=False):
+    def kerberos_login(self, domain, username, password="", ntlm_hash="", aesKey="", kdcHost="", useCache=False, dns_server=""):
         lmhash = ""
         nthash = ""
 
-        if kdcHost is None:
-            kdcHost = domain
+        if kdcHost is None or domain not in kdcHost:
+            self.logger.fail("Please provide the FQDN of the domain controller with --kdcHost")
+            exit(1)
 
         # This checks to see if we didn't provide the LM Hash
         if ntlm_hash and ntlm_hash.find(":") != -1:
@@ -54,12 +53,13 @@ def kerberos_login(self, domain, username, password="", ntlm_hash="", aesKey="",
         baseDN = ""
         domainParts = domain.split(".")
         for i in domainParts:
-            baseDN += f"dc={i},"
+            baseDN += f"DC={i},"
         # Remove last ','
         baseDN = baseDN[:-1]
 
         try:
-            ldap_connection = ldap_impacket.LDAPConnection(f"ldap://{kdcHost}", baseDN)
+            self.logger.info(f"Connecting to ldap://{kdcHost} - {baseDN} - {domain} [1]")
+            ldap_connection = ldap_impacket.LDAPConnection(f"ldap://{kdcHost}", baseDN, dns_server if dns_server else domain)
             ldap_connection.kerberosLogin(
                 username,
                 password,
@@ -78,7 +78,7 @@ def kerberos_login(self, domain, username, password="", ntlm_hash="", aesKey="",
             if str(e).find("strongerAuthRequired") >= 0:
                 # We need to try SSL
                 try:
-                    ldap_connection = ldap_impacket.LDAPConnection(f"ldaps://{kdcHost}", baseDN)
+                    ldap_connection = ldap_impacket.LDAPConnection(f"ldaps://{kdcHost}", baseDN, dns_server if dns_server else domain)
                     ldap_connection.login(
                         username,
                         password,
@@ -105,18 +105,14 @@ def kerberos_login(self, domain, username, password="", ntlm_hash="", aesKey="",
                     color="magenta" if error_code in ldap_error_status else "red",
                 )
             return False
-
         except OSError:
             self.logger.debug(f"{domain}\\{username}:{password if password else ntlm_hash} {'Error connecting to the domain, please add option --kdcHost with the FQDN of the domain controller'}")
             return False
         except KerberosError as e:
-            self.logger.fail(
-                f"{domain}\\{username}:{password if password else ntlm_hash} {e!s}",
-                color="red",
-            )
+            self.logger.fail(f"{domain}\\{username}:{password if password else ntlm_hash} {e!s}", color="red")
             return False
 
-    def auth_login(self, domain, username, password, ntlm_hash):
+    def auth_login(self, domain, username, password, ntlm_hash, dns_server):
         lmhash = ""
         nthash = ""
 
@@ -135,7 +131,7 @@ def auth_login(self, domain, username, password, ntlm_hash):
         base_dn = base_dn[:-1]
 
         try:
-            ldap_connection = ldap_impacket.LDAPConnection(f"ldap://{domain}", base_dn, domain)
+            ldap_connection = ldap_impacket.LDAPConnection(f"ldap://{domain}", base_dn, dns_server if dns_server else domain)
             ldap_connection.login(username, password, domain, lmhash, nthash)
 
             # Connect to LDAP
@@ -148,7 +144,7 @@ def auth_login(self, domain, username, password, ntlm_hash):
             if str(e).find("strongerAuthRequired") >= 0:
                 # We need to try SSL
                 try:
-                    ldap_connection = ldap_impacket.LDAPConnection(f"ldaps://{domain}", base_dn, domain)
+                    ldap_connection = ldap_impacket.LDAPConnection(f"ldaps://{domain}", base_dn, dns_server if dns_server else domain)
                     ldap_connection.login(username, password, domain, lmhash, nthash)
                     self.logger.extra["protocol"] = "LDAPS"
                     self.logger.extra["port"] = "636"
@@ -173,7 +169,7 @@ def auth_login(self, domain, username, password, ntlm_hash):
 
 
 class LAPSv2Extract:
-    def __init__(self, data, username, password, domain, ntlm_hash, do_kerberos, kdcHost, port):
+    def __init__(self, data, username, password, domain, ntlm_hash, do_kerberos, kdcHost, port, dns_server):
         if ntlm_hash.find(":") != -1:
             self.lmhash, self.nthash = ntlm_hash.split(":")
         else:
@@ -187,6 +183,7 @@ def __init__(self, data, username, password, domain, ntlm_hash, do_kerberos, kdc
         self.do_kerberos = do_kerberos
         self.kdcHost = kdcHost
         self.logger = None
+        self.dns_server = dns_server
         self.proto_logger(self.domain, port, self.domain)
 
     def proto_logger(self, host, port, hostname):
@@ -218,7 +215,7 @@ def run(self):
             gke = kds_cache[key_id["RootKeyId"]]
         else:
             # Connect on RPC over TCP to MS-GKDI to call opnum 0 GetKey
-            string_binding = hept_map(destHost=self.domain, remoteIf=MSRPC_UUID_GKDI, protocol="ncacn_ip_tcp")
+            string_binding = hept_map(destHost=self.domain if not self.dns_server else self.dns_server, remoteIf=MSRPC_UUID_GKDI, protocol="ncacn_ip_tcp")
             rpc_transport = transport.DCERPCTransportFactory(string_binding)
             if hasattr(rpc_transport, "set_credentials"):
                 rpc_transport.set_credentials(username=self.username, password=self.password, domain=self.domain, lmhash=self.lmhash, nthash=self.nthash)
@@ -263,7 +260,7 @@ def run(self):
         return plaintext[:-18].decode("utf-16le")
 
 
-def laps_search(self, username, password, cred_type, domain):
+def laps_search(self, username, password, cred_type, domain, dns_server):
     prev_protocol = self.logger.extra["protocol"]
     prev_port = self.logger.extra["port"]
     self.logger.extra["protocol"] = "LDAP"
@@ -274,7 +271,7 @@ def laps_search(self, username, password, cred_type, domain):
     if self.kerberos:
         if self.kdcHost is None:
             self.logger.fail("Add --kdcHost parameter to use laps with kerberos")
-            return None, None, None, None
+            return None, None, None
 
         connection = ldapco.kerberos_login(
             domain[0],
@@ -283,18 +280,20 @@ def laps_search(self, username, password, cred_type, domain):
             password[0] if cred_type[0] == "hash" else "",
             kdcHost=self.kdcHost,
             aesKey=self.aesKey,
+            dns_server=dns_server
         )
     else:
         connection = ldapco.auth_login(
             domain[0],
             username[0] if username else "",
             password[0] if cred_type[0] == "plaintext" else "",
             password[0] if cred_type[0] == "hash" else "",
+            dns_server
         )
     if not connection:
         self.logger.fail(f"LDAP connection failed with account {username[0]}")
 
-        return None, None, None, None
+        return None, None, None
 
     search_filter = "(&(objectCategory=computer)(|(msLAPS-EncryptedPassword=*)(ms-MCS-AdmPwd=*)(msLAPS-Password=*))(name=" + self.hostname + "))"
     attributes = [
@@ -325,13 +324,14 @@ def laps_search(self, username, password, cred_type, domain):
                     password[0] if cred_type[0] == "hash" else "",
                     self.kerberos,
                     self.kdcHost,
-                    339
+                    339,
+                    dns_server
                 )
                 try:
                     data = d.run()
                 except Exception as e:
                     self.logger.fail(str(e))
-                    return None, None, None, None
+                    return None, None, None
                 r = loads(data)
                 msMCSAdmPwd = r["p"]
                 username_laps = r["n"]
@@ -346,21 +346,17 @@ def laps_search(self, username, password, cred_type, domain):
         self.logger.debug(f"Host: {sAMAccountName:<20} Password: {msMCSAdmPwd} {self.hostname}")
     else:
         self.logger.fail(f"msMCSAdmPwd or msLAPS-Password is empty or account cannot read LAPS property for {self.hostname}")
-        return None, None, None, None
+        return None, None, None
 
     if msMCSAdmPwd == "":
         self.logger.fail(f"msMCSAdmPwd or msLAPS-Password is empty or account cannot read LAPS property for {self.hostname}")
-        return None, None, None, None
-
-    hash_ntlm = None
-    if cred_type[0] == "hash":
-        hash_ntlm = hashlib.new("md4", msMCSAdmPwd.encode("utf-16le")).digest()
-        hash_ntlm = binascii.hexlify(hash_ntlm).decode()
+        return None, None, None
 
     username = username_laps if username_laps else self.args.laps
     password = msMCSAdmPwd
     domain = self.hostname
     self.args.local_auth = True
+    self.args.kerberos = False
     self.logger.extra["protocol"] = prev_protocol
     self.logger.extra["port"] = prev_port
-    return username, password, domain, hash_ntlm
+    return username, password, domain

nxc/protocols/ldap/proto_args.py

@@ -33,6 +33,6 @@ def proto_args(parser, parents):
 
     bgroup = ldap_parser.add_argument_group("Bloodhound Scan", "Options to play with Bloodhoud")
     bgroup.add_argument("--bloodhound", action="store_true", help="Perform a Bloodhound scan")
-    bgroup.add_argument("-c", "--collection", default="Collection", help="Which information to collect. Supported: Group, LocalAdmin, Session, Trusts, Default, DCOnly, DCOM, RDP, PSRemote, LoggedOn, Container, ObjectProps, ACL, All. You can specify more than one by separating them with a comma")
+    bgroup.add_argument("-c", "--collection", default="Default", help="Which information to collect. Supported: Group, LocalAdmin, Session, Trusts, Default, DCOnly, DCOM, RDP, PSRemote, LoggedOn, Container, ObjectProps, ACL, All. You can specify more than one by separating them with a comma")
 
     return parser

nxc/protocols/smb.py

@@ -215,6 +215,7 @@ def enum_host_info(self):
             if "STATUS_NOT_SUPPORTED" in str(e):
                 # no ntlm supported
                 self.no_ntlm = True
+                self.logger.debug("NTLM not supported")
 
         # self.domain is the attribute we authenticate with
         # self.targetDomain is the attribute which gets displayed as host domain
@@ -224,8 +225,20 @@ def enum_host_info(self):
             if not self.targetDomain:   # Not sure if that can even happen but now we are safe
                 self.targetDomain = self.hostname
         else:
-            self.hostname = self.host
-            self.targetDomain = self.hostname
+            # If we can't authenticate with NTLM and the target is supplied as a FQDN we must parse it
+            try:
+                import socket
+                socket.inet_aton(self.host)
+                self.logger.fail("NTLM authentication not available! Authentication will fail without a valid hostname and domain name")
+                self.hostname = self.host
+                self.targetDomain = self.host
+            except OSError:
+                if self.host.count(".") >= 1:
+                    self.hostname = self.host.split(".")[0]
+                    self.targetDomain = ".".join(self.host.split(".")[1:])
+                else:
+                    self.hostname = self.host
+                    self.targetDomain = self.host
 
         self.domain = self.targetDomain if not self.args.domain else self.args.domain
 
@@ -236,10 +249,14 @@ def enum_host_info(self):
         # As of June 2024 Samba will always report the version as "Windows 6.1", apparently due to a bug https://stackoverflow.com/a/67577401/17395725
         # Together with the reported build version "0" by Samba we can assume that it is a Samba server. Windows should always report a build version > 0
         # Also only on Windows we should get an OS arch as for that we would need MSRPC
-        self.server_os = self.conn.getServerOS()
-        self.server_os_major = self.conn.getServerOSMajor()
-        self.server_os_minor = self.conn.getServerOSMinor()
-        self.server_os_build = self.conn.getServerOSBuild()
+        try:
+            self.server_os = self.conn.getServerOS()
+            self.server_os_major = self.conn.getServerOSMajor()
+            self.server_os_minor = self.conn.getServerOSMinor()
+            self.server_os_build = self.conn.getServerOSBuild()
+        except KeyError:
+            self.logger.debug("Error getting server information...")
+
         if "Windows 6.1" in self.server_os and self.server_os_build == 0 and self.os_arch == 0:
             self.server_os = "Unix - Samba"
         elif self.server_os_build == 0 and self.os_arch == 0:
@@ -259,14 +276,17 @@ def enum_host_info(self):
         self.os_arch = self.get_os_arch()
         self.output_filename = os.path.expanduser(f"~/.nxc/logs/{self.hostname}_{self.host}_{datetime.now().strftime('%Y-%m-%d_%H%M%S')}".replace(":", "-"))
 
-        self.db.add_host(
-            self.host,
-            self.hostname,
-            self.domain,
-            self.server_os,
-            self.smbv1,
-            self.signing,
-        )
+        try:
+            self.db.add_host(
+                self.host,
+                self.hostname,
+                self.domain,
+                self.server_os,
+                self.smbv1,
+                self.signing,
+            )
+        except Exception as e:
+            self.logger.debug(f"Error adding host {self.host} into db: {e!s}")
 
         try:
             # DCs seem to want us to logoff first, windows workstations sometimes reset the connection
@@ -713,11 +733,12 @@ def execute(self, payload=None, get_output=False, methods=None):
                 self.logger.fail("Command execution blocked by AMSI")
                 return None
 
-            if (self.args.execute or self.args.ps_execute) and output:
+            if (self.args.execute or self.args.ps_execute):
                 self.logger.success(f"Executed command via {current_method}")
-                output_lines = StringIO(output).readlines()
-                for line in output_lines:
-                    self.logger.highlight(line.strip())
+                if output:
+                    output_lines = StringIO(output).readlines()
+                    for line in output_lines:
+                        self.logger.highlight(line.strip())
             return output
         else:
             self.logger.fail(f"Execute command failed with {current_method}")

nxc/protocols/smb/mmcexec.py

@@ -103,7 +103,8 @@ def __init__(self, target, share_name, username, password, domain, smbconnection
         )
         try:
             iInterface = self.__dcom.CoCreateInstanceEx(string_to_bin("49B2791A-B1AE-4C90-9B8E-E860BA07F889"), IID_IDispatch)
-        except Exception:
+        except Exception as e:
+            self.logger.info(f"Got Exception while connecting with DCOM: {e}")
             # Make it force break function
             self.__dcom.disconnect()
         flag, self.__stringBinding = dcom_FirewallChecker(iInterface, self.__remoteHost, self.__timeout)